Just when you thought you were seeing daylight again after those years of GDPR compliance work… what does the State of California go and do? That's right: enact the California Consumer Privacy Act of 2018 (CCPA), a new privacy law designed specifically to protect Californian residents, with requirements that look similar to the GDPR's but are not the same. Excellent!
So, as an EU lawyer with GDPR fatigue, you may be thinking "We just got through GDPR… here we go again?" You've already spent months (if not years), plus the entire decade's legal budget on GDPR compliance. What you want to know is the bare minimum and the additional compliance obligations the CCPA gives rise to for a GDPR compliant(ish) business.
This is the first of a number of blog posts intended to do precisely that – to condense the key takeaways and compliance actions for the CCPA but directed, in particular, to companies that want to leverage the work they have already done for GDPR to meet the CCPA's compliance obligations.
This first blog post focuses on introducing the CCPA and its key concepts, its general scope of application, and the Notice requirements.
What is the CCPA?
The CCPA was passed by the California State Legislature and signed into law by Governor Jerry Brown on June 28, 2018.
It's famous for having been hastily passed by the Legislature after only a week of debate. As a result, there is still uncertainty around the scope of the CCPA, and many of the provisions within it require further clarification.
The Attorney-General is required to adopt "regulations" (essentially, more detailed guidance on how businesses can comply) before July 1, 2020, and everyone is waiting with bated breath.
The CCPA is effective on January 1, 2020 with enforcement to begin six months after the adoption of the Attorney-General's regulations, or July 1, 2020, whichever is sooner.
First things first…
One very significant difference between the GDPR and the CCPA should be called out upfront. The GDPR is intended to be a holistic, overarching framework that governs the handling of all EU personal data. The CCPA is something much smaller: a limited set of rights given to Californian residents covering some of their personal information. Many of these rights look very much like their GDPR counterparts, but the CCPA's requirements are nowhere near the same scale and scope as the GDPR's.
So don't worry – this isn't GDPR all over again. The CCPA is something that can hopefully be managed on a much smaller scale.
Step 1: Does the CCPA apply to you?
The CCPA has worldwide effect and applies to any company "doing business in California". This concept isn't defined in the CCPA but it's generally understood by Californians (based on interpretation of similar language by the Californian Franchise Tax Board) that it refers to companies that "actively engage in any transactions for financial or pecuniary gain."
A bit like the GDPR, the CCPA applies mainly to businesses that are controllers of personal information. Although it doesn't use the word "controller", the CCPA's definition of a "business" is of an entity that "determines the purposes and means of the processing of consumers' personal information" (just like the definition in the GDPR).
In order for the CCPA to be applicable, the business must meet at least one of three thresholds:
Has annual gross revenue of over $25m;
Buys, receives, sells or shares the personal information of 50,000 or more Californian residents, households or devices per year; or
Derives 50% or more of its annual revenue from selling California consumers' personal information.
Note that a company that controls or is controlled by such a business and shares "common branding" with it will also be subject to the CCPA (presumably, regardless of whether that company itself meets the above threshold requirements).
Step 2: What personal information is caught by the CCPA?
The CCPA's definition of personal information is very similar, in effect practically the same, as under the GDPR. It defines "personal information" as:
"…information that identifies, relates to, describes or is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household".
I suppose one difference is that the CCPA's definition captures personal information relating to a "household", which the GDPR doesn't do expressly. However, it's difficult to imagine many scenarios where a business would be collecting personal information about a "household" (think a video streaming service shared by a family, or a Nest thermostat tracking the activities of people in a house) which wouldn't also be caught by the GDPR. There might be an argument that, if a household had so many individuals in it that it was practically impossible to know which particular person's activity was being tracked, the data would not amount to personal data under the GDPR but would under the CCPA. That's probably a very limited, unlikely exception.
One of the interesting things about the CCPA is that it gives a very comprehensive list of examples of personal information (which the GDPR doesn't). Although it is all data that would be caught by the GDPR, the legislation leaves it in no doubt as to what kinds of identifiers and device data would fall within its remit. Examples expressly cited include:
Identifiers: including unique personal identifiers (which includes cookies, beacons, pixel tags, mobile adIDs, unique pseudonyms, probabilistic identifiers, a telephone number); online identifiers; IP addresses; account names; etc.
Biometric data: such as DNA for the purposes of identification; face, retina and fingerprint data; voice recordings; keystroke patterns; and sleep, health and exercise data.
Internet or other electronic network activity information: such as browsing history; search history; clickstream data; a consumer's interaction with an online ad; etc.
Inferences drawn from any of the above to create a profile about a consumer: including their preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities and aptitudes.
Certain data is excluded from the CCPA, such as personal information made available in federal, state or local government records (i.e. "publicly available data"), de-identified or aggregated data, and information covered by other US privacy legislation (such as medical information under HIPAA, and information protected by the Gramm-Leach-Bliley Act and the Driver's Privacy Protection Act).
Step 3: Understanding the 3 key concepts: "collection", "sale" and "disclosure for business purposes"
The CCPA's rights and obligations center around 3 key concepts, so it's worth taking a little time to understand these first:
The concept of "collection" is simple enough and includes any kind of receipt or access to personal information, including receiving data "actively or passively, or by observing the consumer's behaviour".
"Sale" is defined as essentially any kind of disclosure to another business or third party "for monetary or other valuable consideration".
"Disclosure for a business purpose" is a very broad concept, referring to disclosures to a third party for a range of standard operational purposes - like performing services, detecting security incidents, protecting against fraud / illegality, debugging, analysing ad impressions, maintaining or servicing customer accounts, customer services, processing orders, payments, marketing, analytics, internal technological research, QA and so on.
So "disclosure for a business purpose" seems to capture all disclosures to third-party vendors acting as a pure processor. The "sale" of personal information, on the other hand, potentially catches any disclosure to a third party falling outside of that. For example, it could include allowing third parties to collect personal information through cookies on your site for targeted advertising, sharing personal information with a third party under a marketing partnership, or sharing data with a service provider who uses the personal information to enrich its own data sets, train machine learning models, or conduct technological research.
Step 4: Understanding the 5 core rights under the CCPA
With those concepts in hand, we can turn to the 5 core consumer rights introduced by the CCPA. An understanding of "collection", "sale" and "disclosure for business purposes" is essential for each of them:
The right to notice
The right to access
The right to deletion
The right to opt out
The right to non-discrimination
In this first blog post, we will explore the Notice requirement. The other rights will be explored in posts to come.
The Notice requirements
The CCPA requires businesses to include specific information in their Privacy Notices. Many of these items are typical transparency items - things you are likely to have already included under GDPR such as: the categories of personal information collected, the purposes for the collection, the categories of third parties with whom you share personal information, the categories of sources of the personal information, etc.
The good news is that businesses will be able to leverage the Privacy Notices they have already put in place for the GDPR. There are a few additional CCPA-specific disclosures, and you'll most likely want to include these in a section of your Privacy Notice directed specifically at Californian residents.
So presuming you already have a GDPR standard Privacy Notice, then the following are CCPA specific disclosures that will likely need to be added:
A description of the Californian consumer's CCPA rights (i.e. access, deletion and the right to opt out) and the designated methods for submitting such requests (at a minimum, businesses must offer a toll-free number and, if they maintain a website, a web address);
The CCPA appears to require more granular lists of the categories of personal information "collected", "sold" and "disclosed for a business purpose" in the preceding 12 months. The level of detail expected is yet to be clarified (e.g. whether three separate lists need to be provided, breaking the personal information down into each category, or whether more generic disclosures will suffice);
The specific business or commercial purposes for the collection and sale of personal information (again, the level of granularity required is unclear but it could require setting out each business purpose and the PI collected, or sold, for each);
If no personal information is "sold" or "disclosed for a business purpose", then the Privacy Notice must state so expressly; and
A separate link to the “Do Not Sell My Personal Information” internet webpage (which will be discussed in later blog posts) should be included.
More to come…
That's it for our first blog post. In the next ones, we will be exploring the rights to access, deletion and opt out, and how they differ from the GDPR data subject rights. Watch this space :)